
HSTS implementation bug?

sksksk
Occasional Contributor

HSTS implementation bug?

We currently utilize a realm name to access our VPN so for example we access pulse through: https://mypsa5000.com/realmname


We have HSTS enabled and when testing:

curl -D- http://mypsa5000.com/realmname 

We correctly get the "HTTP/1.0 301 Moved Permanently"


However, if we test just the base URL:

curl -D- http://mypsa5000.com

We no longer receive an HSTS header (just a 404).


On a normal Apache web server, requesting a page that should technically be a 404 still gives the "HTTP/1.1 301 Moved Permanently" instead.


As a result, scanning my Pulse Secure with any vulnerability scanner (Qualys, Nessus) results in the scanner saying HSTS has not been implemented.
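The two curl checks above can be turned into a small scanner-style HSTS check. The script below is an added example for this thread, not code from the original post or from Pulse Secure. It parses the header block that `curl -D-` prints, records whether a plain-HTTP request is redirected to HTTPS, and whether an HTTPS response (including a 404) carries a usable Strict-Transport-Security header. The three captures are constructed to mirror the situation described (realm path vs. bare hostname); only the hostname mypsa5000.com comes from the post. One point worth having in the check: per RFC 6797, browsers ignore the Strict-Transport-Security header on plain-HTTP responses, so the 301 on http:// is the redirect to HTTPS rather than HSTS itself, and a scanner decides based on what the HTTPS responses carry.

```python
"""Check HSTS coverage across responses captured with `curl -D-`.

Added example, not from the original post or from Pulse Secure.
The response captures below are constructed; mypsa5000.com is the
hostname used in the thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsCheck:
    status: int
    scheme: str                 # scheme the request was made over
    redirects_to_https: bool    # 3xx with an https:// Location
    hsts_present: bool          # header seen at all
    max_age: Optional[int]
    include_subdomains: bool
    effective: bool             # would a browser actually honour it?


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a status line plus headers (the `-D-` block) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break               # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts_directives(value: str) -> Tuple[Optional[int], bool]:
    """Extract max-age and includeSubDomains from a Strict-Transport-Security value."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass            # malformed max-age: treat as absent
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_hsts(raw: str, scheme: str) -> HstsCheck:
    """Evaluate one captured response; `scheme` is the scheme it was requested over."""
    status, headers = parse_raw_response(raw)
    location = headers.get("location", "")
    redirects = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    hsts = headers.get("strict-transport-security")
    max_age, include_sub = parse_hsts_directives(hsts) if hsts else (None, False)
    # RFC 6797: the header only counts when received over HTTPS with max-age > 0.
    effective = scheme == "https" and max_age is not None and max_age > 0
    return HstsCheck(status, scheme, redirects, hsts is not None, max_age, include_sub, effective)


# Constructed captures (not real output from the poster's appliance).
REALM_OVER_HTTP = """HTTP/1.0 301 Moved Permanently
Location: https://mypsa5000.com/realmname
Content-Length: 0
"""

BASE_OVER_HTTPS_404 = """HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 0
"""

BASE_OVER_HTTPS_404_WITH_HSTS = """HTTP/1.1 404 Not Found
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
Content-Length: 0
"""


def scan_summary() -> Dict[str, HstsCheck]:
    """What a scanner would conclude for each capture."""
    return {
        "realm_http": check_hsts(REALM_OVER_HTTP, "http"),
        "base_https_404": check_hsts(BASE_OVER_HTTPS_404, "https"),
        "base_https_404_hsts": check_hsts(BASE_OVER_HTTPS_404_WITH_HSTS, "https"),
    }


if __name__ == "__main__":
    for name, result in scan_summary().items():
        print(f"{name}: {result}")
```

Run as-is it reports the redirect on the realm path as not being HSTS, the bare-host 404 without the header as uncovered, and the 404 that carries the header as effective; the last case is the one that keeps a scanner from flagging the host, since a 404 is still an HTTPS response and can carry the header.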

3 REPLIES
zanyterp
Moderator

Re: HSTS implementation bug?

Please open a case with our support team to confirm; however, I would expect only a 404 when connecting to the appliance if that URL does not exist on the system.
Do you have any of your sign-in URLs configured for "*/" or do they all require a specific hostname and path?
sksksk
Occasional Contributor

Re: HSTS implementation bug?

We intentionally do not have a realm at */ as a form of security through obscurity, I suppose :)


(No login prompt just because you happen to guess the domain or stumble across the IP.)


zanyterp
Moderator

Re: HSTS implementation bug?

Thank you.
I believe that is a correct response based on your configuration. If you connect with an invalid URL there will be nothing to show.